Overview

overview

10

Static

static

bac012a327...ea.exe

windows7_x64

5

bac012a327...ea.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-09-2021 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe

  • Size

    47KB

  • MD5

    268c50b286c5e44c889b6c5489e9d337

  • SHA1

    addbcadf2d4b2d59ff434deed3ce5605ec7dd35e

  • SHA256

    bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea

  • SHA512

    71c240d4598131e1f78ae09042b7e4883713d5b94001cf3634543941e1cffa3efa8890d3c75d8b10f9ec368e3c4fb27fdd929228120ad1eaaff32159fa8a25f6

Score
10/10
njrathackedevasionsuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

joker3.publicvm.com:1177

Mutex

15ead12f68fe505287e8638b19794a4d

Attributes
  • reg_key

    15ead12f68fe505287e8638b19794a4d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    suricata
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe
    "C:\Users\Admin\AppData\Local\Temp\bac012a32743dde9c413005e56b3a9ab7874af2cf7a67ee9ba6b7c2ca0f687ea.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2392
        • \??\c:\windows\SysWOW64\cmstp.exe
          "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\dwwkqwxf.inf
          3⤵
            PID:4016
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start C:\Windows\temp\yh0v0end.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3704
          • C:\Windows\temp\yh0v0end.exe
            C:\Windows\temp\yh0v0end.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Windows\temp\yh0v0end.exe" "yh0v0end.exe" ENABLE
              4⤵
                PID:748
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /IM cmstp.exe /F
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2176

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\Temp\yh0v0end.exe
          MD5

          2e5cc82bf3792613e217cb71100d42d8

          SHA1

          d53f73ec6c9466baff5b00c9618d1def74d00337

          SHA256

          d325902342e6787594c11b1be01afffb4bf8d839f21ae03a76e16f37a55e4240

          SHA512

          3b20491ac43445a326a8cac6919d387d2921cd3e45e5d2814b4a128e58baed4ba88972b9c1c7ed4b21b58f2a4ab9c09f6cc1735b4e494336dd2efd5043eeecb6

          Download Submit
        • C:\Windows\temp\dwwkqwxf.inf
          MD5

          48b9d834bd8b5e211e75fcd16cb7f918

          SHA1

          668be1330d5abdb8f471377ecbba91e00a0993fc

          SHA256

          a2a16d8c2e9d63147c2bfdf0a907a967df56dd0f4eab3007115e3d028a590931

          SHA512

          80a051fb19ce0d22f6b7ad9f94ae9c2454089c843382a54fde95b6453f2c2f0c1d381eda13904721aa13a53983cf4858ffb2c1ef0c2ec19c28b8fd589735d10e

          Download Submit
        • C:\Windows\temp\yh0v0end.exe
          MD5

          2e5cc82bf3792613e217cb71100d42d8

          SHA1

          d53f73ec6c9466baff5b00c9618d1def74d00337

          SHA256

          d325902342e6787594c11b1be01afffb4bf8d839f21ae03a76e16f37a55e4240

          SHA512

          3b20491ac43445a326a8cac6919d387d2921cd3e45e5d2814b4a128e58baed4ba88972b9c1c7ed4b21b58f2a4ab9c09f6cc1735b4e494336dd2efd5043eeecb6

          Download Submit
        • memory/748-140-0x0000000000000000-mapping.dmp
          Download
        • memory/800-120-0x00000000051C0000-0x00000000051C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-118-0x0000000004F40000-0x0000000004F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-121-0x0000000004F50000-0x0000000004F5B000-memory.dmp
          Filesize

          44KB

          Download
        • memory/800-122-0x00000000054B0000-0x00000000054B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-116-0x00000000054E0000-0x00000000054E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-119-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/800-117-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2176-138-0x0000000000000000-mapping.dmp
          Download
        • memory/2392-124-0x0000000000408F5E-mapping.dmp
          Download
        • memory/2392-132-0x0000000005250000-0x000000000574E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2392-131-0x0000000005250000-0x000000000574E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2392-123-0x0000000000400000-0x000000000040E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3028-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3028-139-0x0000000001810000-0x0000000001811000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3028-141-0x0000000001811000-0x0000000001812000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3704-134-0x0000000000000000-mapping.dmp
          Download
        • memory/4016-129-0x0000000000000000-mapping.dmp
          Download